I am seeing these avc messages on a newly commissioned and up-to-date CentOS-6 virtual guest:
----
time->Thu Dec 4 12:14:58 2014
type=SYSCALL msg=audit(1417713298.610:60522): arch=c000003e syscall=2 success=no exit=-13 a0=7fd70e6de1e6 a1=0 a2=1b6 a3=0 items=0 ppid=2698 pid=4294 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2784 comm="trivial-rewrite" exe="/usr/libexec/postfix/trivial-rewrite" subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1417713298.610:60522): avc: denied { read } for pid=4294 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=393240 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
We are using a locally built Postfix (Postfix-2.8+ is required to support postscreen and CentOS only provides 2.6.6)
rpm -qi postfix
Name        : postfix                      Relocations: (not relocatable)
Version     : 2.11.1                            Vendor: (none)
Release     : 0.el6                         Build Date: Thu May 15 14:38:25 2014
Install Date: Fri Nov 28 14:57:25 2014      Build Host: xnet242.hamilton.harte-lyne.ca
Group       : System Environment/Daemons   Source RPM: postfix-2.11.1-0.el6.src.rpm
Size        : 13111458                         License: IBM
Signature   : (none)
URL         : http://www.postfix.org
Summary     : Postfix Mail Transport Agent
Description :
Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), TLS
Re: SELinux. Do I just build a local policy or is there some boolean setting needed to handle this? I could not find one if there is but...
getsebool -a | grep postfix
allow_postfix_local_write_mail_spool --> on
On 04.12.2014 at 18:29, James B. Byrne wrote:
I am seeing these avc messages on a newly commissioned and up-to-date CentOS-6 virtual guest:
time->Thu Dec 4 12:14:58 2014
type=SYSCALL msg=audit(1417713298.610:60522): arch=c000003e syscall=2 success=no exit=-13 a0=7fd70e6de1e6 a1=0 a2=1b6 a3=0 items=0 ppid=2698 pid=4294 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2784 comm="trivial-rewrite" exe="/usr/libexec/postfix/trivial-rewrite" subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1417713298.610:60522): avc: denied { read } for pid=4294 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=393240 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
We are using a locally built Postfix (Postfix-2.8+ is required to support postscreen and CentOS only provides 2.6.6)
rpm -qi postfix
Name        : postfix                      Relocations: (not relocatable)
Version     : 2.11.1                            Vendor: (none)
Release     : 0.el6                         Build Date: Thu May 15 14:38:25 2014
Install Date: Fri Nov 28 14:57:25 2014      Build Host: xnet242.hamilton.harte-lyne.ca
Group       : System Environment/Daemons   Source RPM: postfix-2.11.1-0.el6.src.rpm
Size        : 13111458                         License: IBM
Signature   : (none)
URL         : http://www.postfix.org
Summary     : Postfix Mail Transport Agent
Description :
Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), TLS
Re: SELinux. Do I just build a local policy or is there some boolean setting needed to handle this? I could not find one if there is but...
getsebool -a | grep postfix
allow_postfix_local_write_mail_spool --> on
https://bugzilla.redhat.com/show_bug.cgi?id=892024
Are you sure you are really up to date on CentOS 6?
https://rhn.redhat.com/errata/RHBA-2013-1598.html is old and by now outdated. I don't have such a problem with the Postfix 2.11.3 package from ghettoforge on a current CentOS 6.6.
Alexander
On Thu, December 4, 2014 12:29, James B. Byrne wrote:
Re: SELinux. Do I just build a local policy or is there some boolean setting needed to handle this? I could not find one if there is but...
Anyone see any problem with generating a custom policy consisting of the following?
grep avc /var/log/audit/audit.log | audit2allow
#============= amavis_t ==============
allow amavis_t shell_exec_t:file execute;
allow amavis_t sysfs_t:dir search;

#============= clamscan_t ==============
allow clamscan_t amavis_spool_t:dir read;

#============= logwatch_mail_t ==============
allow logwatch_mail_t usr_t:lnk_file read;

#============= postfix_master_t ==============
allow postfix_master_t tmp_t:dir read;

#============= postfix_postdrop_t ==============
allow postfix_postdrop_t tmp_t:dir read;

#============= postfix_showq_t ==============
allow postfix_showq_t tmp_t:dir read;

#============= postfix_smtp_t ==============
allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
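The grep-into-audit2allow pipeline in the message above collapses every denial in the log into allow rules, which is exactly what makes it risky to feed straight into a local module. As an added example (not part of the thread and not audit2allow's own code), the Python script below does the same grouping over audit-log lines, keyed on source type, target type and object class with permissions merged, and additionally flags rules whose target type is one a confined mail daemon normally has no reason to touch, so each of those can be explained before it is allowed. The sample records are constructed: the first SYSCALL/AVC pair is the one quoted in the thread, the remaining AVC lines are made up to match the other postfix rules audit2allow proposed. The REVIEW_TARGETS list is an assumption chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample input. Lines 1-2 are the SYSCALL/AVC pair quoted in the
# thread; the rest are made-up denials shaped like the other postfix rules
# audit2allow proposed, so the grouping has something to merge.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1417713298.610:60522): arch=c000003e syscall=2 success=no exit=-13 comm="trivial-rewrite" exe="/usr/libexec/postfix/trivial-rewrite" subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1417713298.610:60522): avc: denied { read } for pid=4294 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=393240 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1417713300.001:60530): avc: denied { read } for pid=4301 comm="postdrop" name="tmp" dev=dm-0 ino=393240 scontext=unconfined_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1417713301.500:60540): avc: denied { read write } for pid=4310 comm="smtp" name="1A2B3C" dev=dm-0 ino=400001 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1417713301.600:60541): avc: denied { getattr } for pid=4310 comm="smtp" path="/var/spool/postfix/maildrop/1A2B3C" dev=dm-0 ino=400001 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types a confined mail daemon normally has no business touching.
# Starting list for this example only (assumption); extend it per site.
REVIEW_TARGETS = frozenset({"tmp_t"})


def context_type(ctx):
    # SELinux context is user:role:type[:level]; the type is the third field
    return ctx.split(":")[2]


def parse_avc(line):
    # Returns a dict for an AVC record, None for SYSCALL and other record types
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
        # the kernel reports name= or path= depending on what it knows
        "object": fields.get("name") or fields.get("path") or "?",
    }


def summarize(lines):
    # Group denials by (source type, target type, class) and merge permissions
    perms_by_key = defaultdict(set)
    seen_by_key = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        perms_by_key[key].update(rec["perms"])
        seen_by_key[key].add((rec["comm"], rec["object"]))
    return perms_by_key, seen_by_key


def allow_rule(key, perms):
    # Same syntax audit2allow prints; permissions sorted for determinism
    stype, ttype, tclass = key
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_str};"


def report(lines, review_targets=REVIEW_TARGETS):
    # One row per proposed rule: the rule, the comm/object pairs that caused
    # it, and whether the target type means it should be explained first
    perms_by_key, seen_by_key = summarize(lines)
    return [
        {
            "rule": allow_rule(key, perms_by_key[key]),
            "review": key[1] in review_targets,
            "seen": sorted(seen_by_key[key]),
        }
        for key in sorted(perms_by_key)
    ]


if __name__ == "__main__":
    for row in report(SAMPLE_AUDIT_LOG.splitlines()):
        print(("REVIEW " if row["review"] else "       ") + row["rule"])
        for comm, obj in row["seen"]:
            print(f"           seen: comm={comm} object={obj}")
```

On the sample it prints the two tmp_t rules marked REVIEW, each with the process and object that triggered them, and the maildrop rule unmarked with its three permissions merged from two separate records. To run it over a real log, replace the sample with the lines from grep avc /var/log/audit/audit.log; the rules match what audit2allow prints except for the sorted permission order.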
On 12/04/2014 03:22 PM, James B. Byrne wrote:
On Thu, December 4, 2014 12:29, James B. Byrne wrote:
Re: SELinux. Do I just build a local policy or is there some boolean setting needed to handle this? I could not find one if there is but...
Anyone see any problem with generating a custom policy consisting of the following?
grep avc /var/log/audit/audit.log | audit2allow
#============= amavis_t ==============
allow amavis_t shell_exec_t:file execute;
allow amavis_t sysfs_t:dir search;

#============= clamscan_t ==============
allow clamscan_t amavis_spool_t:dir read;
In the latest rhel6 policies amavis_t and clamscan_t have been merged into antivirus_t? Is your selinux-policy up to date?
#============= logwatch_mail_t ==============
allow logwatch_mail_t usr_t:lnk_file read;

#============= postfix_master_t ==============
allow postfix_master_t tmp_t:dir read;

#============= postfix_postdrop_t ==============
allow postfix_postdrop_t tmp_t:dir read;

#============= postfix_showq_t ==============
allow postfix_showq_t tmp_t:dir read;
Any reason postfix would be listing the contents of /tmp or /var/tmp? Did you put some content into these directories that have something to do with mail?
#============= postfix_smtp_t ==============
allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
On Fri, December 5, 2014 04:53, Daniel J Walsh wrote:
On 12/04/2014 03:22 PM, James B. Byrne wrote:
On Thu, December 4, 2014 12:29, James B. Byrne wrote:
Re: SELinux. Do I just build a local policy or is there some boolean setting needed to handle this? I could not find one if there is but...
Anyone see any problem with generating a custom policy consisting of the following?
grep avc /var/log/audit/audit.log | audit2allow
#============= amavis_t ==============
allow amavis_t shell_exec_t:file execute;
allow amavis_t sysfs_t:dir search;

#============= clamscan_t ==============
allow clamscan_t amavis_spool_t:dir read;
In the latest rhel6 policies amavis_t and clamscan_t have been merged into antivirus_t? Is your selinux-policy up to date?
Yes, everything is up-to-date as of the time of report and I have checked again this morning. That system has no unapplied fixes for software provided through the official CentOS-6 repositories. Does this change apply only to 7 or has it been backported? Both amavisd-new and clamav are provided via the epel repository.
#============= logwatch_mail_t ==============
allow logwatch_mail_t usr_t:lnk_file read;

#============= postfix_master_t ==============
allow postfix_master_t tmp_t:dir read;

#============= postfix_postdrop_t ==============
allow postfix_postdrop_t tmp_t:dir read;

#============= postfix_showq_t ==============
allow postfix_showq_t tmp_t:dir read;
Any reason postfix would be listing the contents of /tmp or /var/tmp? Did you put some content into these directories that have something to do with mail?
That question I need to put to the Postfix mailing list. I see nothing in the spec file that bears on the matter and the tarball was pulled from:
ftp://ftp.porcupine.org/mirrors/postfix-release/official/
#============= postfix_smtp_t ==============
allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
On 12/05/2014 01:24 PM, James B. Byrne wrote:
On Fri, December 5, 2014 04:53, Daniel J Walsh wrote:
On 12/04/2014 03:22 PM, James B. Byrne wrote:
On Thu, December 4, 2014 12:29, James B. Byrne wrote:
Re: SELinux. Do I just build a local policy or is there some boolean setting needed to handle this? I could not find one if there is but...
Anyone see any problem with generating a custom policy consisting of the following?
grep avc /var/log/audit/audit.log | audit2allow
#============= amavis_t ==============
allow amavis_t shell_exec_t:file execute;
allow amavis_t sysfs_t:dir search;

#============= clamscan_t ==============
allow clamscan_t amavis_spool_t:dir read;
In the latest rhel6 policies amavis_t and clamscan_t have been merged into antivirus_t? Is your selinux-policy up to date?
Yes, everything is up-to-date as of the time of report and I have checked again this morning. That system has no unapplied fixes for software provided through the official CentOS-6 repositories. Does this change apply only to 7 or has it been backported? Both amavisd-new and clamav are provided via the epel repository.
rpm -q selinux-policy
selinux-policy-3.7.19-260.el6 is the current policy in development.
#============= logwatch_mail_t ==============
allow logwatch_mail_t usr_t:lnk_file read;

#============= postfix_master_t ==============
allow postfix_master_t tmp_t:dir read;

#============= postfix_postdrop_t ==============
allow postfix_postdrop_t tmp_t:dir read;

#============= postfix_showq_t ==============
allow postfix_showq_t tmp_t:dir read;
Any reason postfix would be listing the contents of /tmp or /var/tmp? Did you put some content into these directories that have something to do with mail?
That question I need to put to the Postfix mailing list. I see nothing in the spec file that bears on the matter and the tarball was pulled from:
ftp://ftp.porcupine.org/mirrors/postfix-release/official/
#============= postfix_smtp_t ==============
allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };